feat: complete tOS project with HR, LEAN, Dashboard and Integrations modules

Full enterprise web operating system including:
- Next.js 14 frontend with App Router, i18n (DE/EN), shadcn/ui
- NestJS 10 backend with Prisma, JWT auth, Swagger docs
- Keycloak 24 SSO with role-based access control
- HR module (employees, time tracking, absences, org chart)
- LEAN module (3S planning, morning meeting SQCDM, skill matrix)
- Integrations module (PlentyONE, Zulip, Todoist, FreeScout, Nextcloud, ecoDMS, GembaDocs)
- Dashboard with customizable drag & drop widget grid
- Docker Compose infrastructure (PostgreSQL 16, Redis 7, Keycloak 24)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker/.env.example

@@ -0,0 +1,16 @@
+# Docker Compose Environment Configuration
+# Copy this file to .env in the docker/ directory
+
+# PostgreSQL
+POSTGRES_USER=tos_user
+POSTGRES_PASSWORD=tos_secret_password
+POSTGRES_DB=tos_db
+POSTGRES_PORT=5432
+
+# Redis
+REDIS_PORT=6379
+
+# Keycloak
+KEYCLOAK_ADMIN=admin
+KEYCLOAK_ADMIN_PASSWORD=admin
+KEYCLOAK_PORT=8080

docker/docker-compose.yml

@@ -0,0 +1,119 @@
+# =============================================================================
+# tOS Docker Compose Configuration
+# =============================================================================
+# Usage:
+#   Start:   docker compose up -d
+#   Stop:    docker compose down
+#   Logs:    docker compose logs -f [service]
+#   Reset:   docker compose down -v && docker compose up -d
+# =============================================================================
+
+name: tos
+
+services:
+  # ---------------------------------------------------------------------------
+  # PostgreSQL Database
+  # ---------------------------------------------------------------------------
+  postgres:
+    image: postgres:16-alpine
+    container_name: tos-postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER:-tos_user}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-tos_secret_password}
+      POSTGRES_DB: ${POSTGRES_DB:-tos_db}
+      POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C"
+    ports:
+      - "${POSTGRES_PORT:-5432}:5432"
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-tos_user} -d ${POSTGRES_DB:-tos_db}"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 10s
+    networks:
+      - tos-network
+
+  # ---------------------------------------------------------------------------
+  # Redis Cache & Queue
+  # ---------------------------------------------------------------------------
+  redis:
+    image: redis:7-alpine
+    container_name: tos-redis
+    restart: unless-stopped
+    command: >
+      redis-server
+      --appendonly yes
+      --maxmemory 256mb
+      --maxmemory-policy allkeys-lru
+    ports:
+      - "${REDIS_PORT:-6379}:6379"
+    volumes:
+      - redis_data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 5s
+    networks:
+      - tos-network
+
+  # ---------------------------------------------------------------------------
+  # Keycloak Identity & Access Management
+  # ---------------------------------------------------------------------------
+  keycloak:
+    image: quay.io/keycloak/keycloak:24.0
+    container_name: tos-keycloak
+    restart: unless-stopped
+    command:
+      - start-dev
+      - --import-realm
+    environment:
+      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin}
+      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB:-tos_db}
+      KC_DB_USERNAME: ${POSTGRES_USER:-tos_user}
+      KC_DB_PASSWORD: ${POSTGRES_PASSWORD:-tos_secret_password}
+      KC_HOSTNAME: localhost
+      KC_HOSTNAME_PORT: ${KEYCLOAK_PORT:-8080}
+      KC_HOSTNAME_STRICT: "false"
+      KC_HOSTNAME_STRICT_HTTPS: "false"
+      KC_HTTP_ENABLED: "true"
+      KC_HEALTH_ENABLED: "true"
+      KC_METRICS_ENABLED: "true"
+      KC_LOG_LEVEL: INFO
+    ports:
+      - "${KEYCLOAK_PORT:-8080}:8080"
+    volumes:
+      - ./keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:ro
+    healthcheck:
+      # Keycloak 24+ nutzt /health/ready Endpoint
+      # Verwendet bash redirect da curl nicht in UBI9 enthalten ist
+      test: >
+        bash -c 'exec 3<>/dev/tcp/localhost/8080 &&
+        echo -e "GET /health/ready HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" >&3 &&
+        timeout 2 cat <&3 | grep -q "200 OK"'
+      interval: 30s
+      timeout: 15s
+      retries: 5
+      start_period: 90s
+    depends_on:
+      postgres:
+        condition: service_healthy
+    networks:
+      - tos-network
+
+volumes:
+  postgres_data:
+    name: tos-postgres-data
+  redis_data:
+    name: tos-redis-data
+
+networks:
+  tos-network:
+    name: tos-network
+    driver: bridge

docker/keycloak/realm-export.json

@@ -0,0 +1,208 @@
+{
+  "id": "tos",
+  "realm": "tOS",
+  "displayName": "tOS - Enterprise Web Operating System",
+  "displayNameHtml": "<strong>tOS</strong> Enterprise",
+  "enabled": true,
+  "sslRequired": "external",
+  "registrationAllowed": false,
+  "rememberMe": true,
+  "verifyEmail": false,
+  "loginWithEmailAllowed": true,
+  "duplicateEmailsAllowed": false,
+  "resetPasswordAllowed": true,
+  "bruteForceProtected": true,
+  "permanentLockout": false,
+  "maxFailureWaitSeconds": 900,
+  "failureFactor": 5,
+  "defaultSignatureAlgorithm": "RS256",
+  "accessTokenLifespan": 300,
+  "ssoSessionIdleTimeout": 1800,
+  "ssoSessionMaxLifespan": 36000,
+  "roles": {
+    "realm": [
+      {
+        "name": "admin",
+        "description": "Full administrative access to all tOS features",
+        "composite": true,
+        "composites": {
+          "realm": ["hr-manager", "manager", "department_head", "team-lead", "employee"]
+        }
+      },
+      {
+        "name": "hr-manager",
+        "description": "HR management with access to employee data, absences, and time tracking",
+        "composite": true,
+        "composites": {
+          "realm": ["employee"]
+        }
+      },
+      {
+        "name": "manager",
+        "description": "Management access with cross-department visibility",
+        "composite": true,
+        "composites": {
+          "realm": ["department_head", "employee"]
+        }
+      },
+      {
+        "name": "department_head",
+        "description": "Department lead with team management capabilities",
+        "composite": true,
+        "composites": {
+          "realm": ["team-lead", "employee"]
+        }
+      },
+      {
+        "name": "team-lead",
+        "description": "Team lead with direct reports management",
+        "composite": true,
+        "composites": {
+          "realm": ["employee"]
+        }
+      },
+      {
+        "name": "employee",
+        "description": "Standard employee access to basic features",
+        "composite": false
+      }
+    ]
+  },
+  "groups": [
+    {
+      "name": "Administrators",
+      "path": "/Administrators",
+      "realmRoles": ["admin"]
+    },
+    {
+      "name": "Management",
+      "path": "/Management",
+      "realmRoles": ["manager"]
+    },
+    {
+      "name": "Departments",
+      "path": "/Departments",
+      "subGroups": [
+        { "name": "Sales", "path": "/Departments/Sales", "realmRoles": ["employee"] },
+        { "name": "Accounting", "path": "/Departments/Accounting", "realmRoles": ["employee"] },
+        { "name": "Warehouse", "path": "/Departments/Warehouse", "realmRoles": ["employee"] },
+        { "name": "Logistics", "path": "/Departments/Logistics", "realmRoles": ["employee"] },
+        { "name": "Engineering", "path": "/Departments/Engineering", "realmRoles": ["employee"] },
+        { "name": "IT", "path": "/Departments/IT", "realmRoles": ["employee"] },
+        { "name": "Executive", "path": "/Departments/Executive", "realmRoles": ["manager"] },
+        { "name": "Executive-Assistant", "path": "/Departments/Executive-Assistant", "realmRoles": ["employee"] },
+        { "name": "HR", "path": "/Departments/HR", "realmRoles": ["employee"] },
+        { "name": "Procurement", "path": "/Departments/Procurement", "realmRoles": ["employee"] }
+      ]
+    }
+  ],
+  "clients": [
+    {
+      "clientId": "tos-frontend",
+      "name": "tOS Frontend Application",
+      "enabled": true,
+      "publicClient": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "protocol": "openid-connect",
+      "secret": "${KEYCLOAK_FRONTEND_CLIENT_SECRET:-tos-frontend-secret-CHANGE-IN-PRODUCTION}",
+      "rootUrl": "http://localhost:3000",
+      "baseUrl": "http://localhost:3000",
+      "redirectUris": ["http://localhost:3000/*", "http://127.0.0.1:3000/*"],
+      "webOrigins": ["http://localhost:3000", "http://127.0.0.1:3000"],
+      "attributes": {
+        "pkce.code.challenge.method": "S256",
+        "post.logout.redirect.uris": "http://localhost:3000/*"
+      },
+      "defaultClientScopes": ["web-origins", "acr", "profile", "roles", "email"]
+    },
+    {
+      "clientId": "tos-backend",
+      "name": "tOS Backend API",
+      "enabled": true,
+      "publicClient": false,
+      "standardFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": true,
+      "protocol": "openid-connect",
+      "secret": "${KEYCLOAK_BACKEND_CLIENT_SECRET:-tos-backend-secret-CHANGE-IN-PRODUCTION}",
+      "rootUrl": "http://localhost:3001",
+      "baseUrl": "http://localhost:3001",
+      "redirectUris": ["http://localhost:3001/*"],
+      "webOrigins": ["http://localhost:3001"],
+      "defaultClientScopes": ["web-origins", "acr", "profile", "roles", "email"]
+    }
+  ],
+  "users": [
+    {
+      "username": "admin",
+      "email": "admin@tos.local",
+      "emailVerified": true,
+      "enabled": true,
+      "firstName": "System",
+      "lastName": "Administrator",
+      "credentials": [{ "type": "password", "value": "admin123", "temporary": true }],
+      "realmRoles": ["admin"],
+      "groups": ["/Administrators"]
+    },
+    {
+      "username": "manager",
+      "email": "manager@tos.local",
+      "emailVerified": true,
+      "enabled": true,
+      "firstName": "Max",
+      "lastName": "Manager",
+      "credentials": [{ "type": "password", "value": "manager123", "temporary": true }],
+      "realmRoles": ["manager"],
+      "groups": ["/Management"]
+    },
+    {
+      "username": "depthead",
+      "email": "depthead@tos.local",
+      "emailVerified": true,
+      "enabled": true,
+      "firstName": "Diana",
+      "lastName": "DepartmentHead",
+      "credentials": [{ "type": "password", "value": "depthead123", "temporary": true }],
+      "realmRoles": ["department_head"],
+      "groups": ["/Departments/IT"]
+    },
+    {
+      "username": "employee",
+      "email": "employee@tos.local",
+      "emailVerified": true,
+      "enabled": true,
+      "firstName": "Eva",
+      "lastName": "Employee",
+      "credentials": [{ "type": "password", "value": "employee123", "temporary": true }],
+      "realmRoles": ["employee"],
+      "groups": ["/Departments/IT"]
+    },
+    {
+      "username": "hrmanager",
+      "email": "hrmanager@tos.local",
+      "emailVerified": true,
+      "enabled": true,
+      "firstName": "Hannah",
+      "lastName": "HRManager",
+      "credentials": [{ "type": "password", "value": "hrmanager123", "temporary": true }],
+      "realmRoles": ["hr-manager"],
+      "groups": ["/Departments/HR"]
+    },
+    {
+      "username": "teamlead",
+      "email": "teamlead@tos.local",
+      "emailVerified": true,
+      "enabled": true,
+      "firstName": "Tim",
+      "lastName": "TeamLead",
+      "credentials": [{ "type": "password", "value": "teamlead123", "temporary": true }],
+      "realmRoles": ["team-lead"],
+      "groups": ["/Departments/Engineering"]
+    }
+  ],
+  "internationalizationEnabled": true,
+  "supportedLocales": ["de", "en"],
+  "defaultLocale": "de"
+}